1 /* Copyright (c) 2018, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/ssl.h>
16
17 #include <openssl/bytestring.h>
18
19 #include "internal.h"
20
21
22 BSSL_NAMESPACE_BEGIN
23
24 constexpr int kHandoffVersion = 0;
25 constexpr int kHandbackVersion = 0;
26
27 static const unsigned kHandoffTagALPS = CBS_ASN1_CONTEXT_SPECIFIC | 0;
28
29 // early_data_t represents the state of early data in a more compact way than
30 // the 3 bits used by the implementation.
31 enum early_data_t {
32 early_data_not_offered = 0,
33 early_data_accepted = 1,
34 early_data_rejected_hrr = 2,
35 early_data_skipped = 3,
36
37 early_data_max_value = early_data_skipped,
38 };
39
40 // serialize_features adds a description of features supported by this binary to
41 // |out|. Returns true on success and false on error.
serialize_features(CBB * out)42 static bool serialize_features(CBB *out) {
43 CBB ciphers;
44 if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) {
45 return false;
46 }
47 Span<const SSL_CIPHER> all_ciphers = AllCiphers();
48 for (const SSL_CIPHER& cipher : all_ciphers) {
49 if (!CBB_add_u16(&ciphers, static_cast<uint16_t>(cipher.id))) {
50 return false;
51 }
52 }
53 CBB curves;
54 if (!CBB_add_asn1(out, &curves, CBS_ASN1_OCTETSTRING)) {
55 return false;
56 }
57 for (const NamedGroup& g : NamedGroups()) {
58 if (!CBB_add_u16(&curves, g.group_id)) {
59 return false;
60 }
61 }
62 // ALPS is a draft protocol and may change over time. The handoff structure
63 // contains a [0] IMPLICIT OCTET STRING OPTIONAL, containing a list of u16
64 // ALPS versions that the binary supports. For now we name them by codepoint.
65 // Once ALPS is finalized and past the support horizon, this field can be
66 // removed.
67 CBB alps;
68 if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) ||
69 !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) {
70 return false;
71 }
72 return CBB_flush(out);
73 }
74
SSL_serialize_handoff(const SSL * ssl,CBB * out,SSL_CLIENT_HELLO * out_hello)75 bool SSL_serialize_handoff(const SSL *ssl, CBB *out,
76 SSL_CLIENT_HELLO *out_hello) {
77 const SSL3_STATE *const s3 = ssl->s3;
78 if (!ssl->server ||
79 s3->hs == nullptr ||
80 s3->rwstate != SSL_ERROR_HANDOFF) {
81 return false;
82 }
83
84 CBB seq;
85 SSLMessage msg;
86 Span<const uint8_t> transcript = s3->hs->transcript.buffer();
87 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
88 !CBB_add_asn1_uint64(&seq, kHandoffVersion) ||
89 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
90 !CBB_add_asn1_octet_string(&seq,
91 reinterpret_cast<uint8_t *>(s3->hs_buf->data),
92 s3->hs_buf->length) ||
93 !serialize_features(&seq) ||
94 !CBB_flush(out) ||
95 !ssl->method->get_message(ssl, &msg) ||
96 !ssl_client_hello_init(ssl, out_hello, msg)) {
97 return false;
98 }
99
100 return true;
101 }
102
SSL_decline_handoff(SSL * ssl)103 bool SSL_decline_handoff(SSL *ssl) {
104 const SSL3_STATE *const s3 = ssl->s3;
105 if (!ssl->server ||
106 s3->hs == nullptr ||
107 s3->rwstate != SSL_ERROR_HANDOFF) {
108 return false;
109 }
110
111 s3->hs->config->handoff = false;
112 return true;
113 }
114
115 // apply_remote_features reads a list of supported features from |in| and
116 // (possibly) reconfigures |ssl| to disallow the negotation of features whose
117 // support has not been indicated. (This prevents the the handshake from
118 // committing to features that are not supported on the handoff/handback side.)
apply_remote_features(SSL * ssl,CBS * in)119 static bool apply_remote_features(SSL *ssl, CBS *in) {
120 CBS ciphers;
121 if (!CBS_get_asn1(in, &ciphers, CBS_ASN1_OCTETSTRING)) {
122 return false;
123 }
124 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> supported(sk_SSL_CIPHER_new_null());
125 while (CBS_len(&ciphers)) {
126 uint16_t id;
127 if (!CBS_get_u16(&ciphers, &id)) {
128 return false;
129 }
130 const SSL_CIPHER *cipher = SSL_get_cipher_by_value(id);
131 if (!cipher) {
132 continue;
133 }
134 if (!sk_SSL_CIPHER_push(supported.get(), cipher)) {
135 return false;
136 }
137 }
138 STACK_OF(SSL_CIPHER) *configured =
139 ssl->config->cipher_list ? ssl->config->cipher_list->ciphers.get()
140 : ssl->ctx->cipher_list->ciphers.get();
141 bssl::UniquePtr<STACK_OF(SSL_CIPHER)> unsupported(sk_SSL_CIPHER_new_null());
142 for (const SSL_CIPHER *configured_cipher : configured) {
143 if (sk_SSL_CIPHER_find(supported.get(), nullptr, configured_cipher)) {
144 continue;
145 }
146 if (!sk_SSL_CIPHER_push(unsupported.get(), configured_cipher)) {
147 return false;
148 }
149 }
150 if (sk_SSL_CIPHER_num(unsupported.get()) && !ssl->config->cipher_list) {
151 ssl->config->cipher_list = bssl::MakeUnique<SSLCipherPreferenceList>();
152 if (!ssl->config->cipher_list->Init(*ssl->ctx->cipher_list)) {
153 return false;
154 }
155 }
156 for (const SSL_CIPHER *unsupported_cipher : unsupported.get()) {
157 ssl->config->cipher_list->Remove(unsupported_cipher);
158 }
159 if (sk_SSL_CIPHER_num(SSL_get_ciphers(ssl)) == 0) {
160 return false;
161 }
162
163 CBS curves;
164 if (!CBS_get_asn1(in, &curves, CBS_ASN1_OCTETSTRING)) {
165 return false;
166 }
167 Array<uint16_t> supported_curves;
168 if (!supported_curves.Init(CBS_len(&curves) / 2)) {
169 return false;
170 }
171 size_t idx = 0;
172 while (CBS_len(&curves)) {
173 uint16_t curve;
174 if (!CBS_get_u16(&curves, &curve)) {
175 return false;
176 }
177 supported_curves[idx++] = curve;
178 }
179 Span<const uint16_t> configured_curves =
180 tls1_get_grouplist(ssl->s3->hs.get());
181 Array<uint16_t> new_configured_curves;
182 if (!new_configured_curves.Init(configured_curves.size())) {
183 return false;
184 }
185 idx = 0;
186 for (uint16_t configured_curve : configured_curves) {
187 bool ok = false;
188 for (uint16_t supported_curve : supported_curves) {
189 if (supported_curve == configured_curve) {
190 ok = true;
191 break;
192 }
193 }
194 if (ok) {
195 new_configured_curves[idx++] = configured_curve;
196 }
197 }
198 if (idx == 0) {
199 return false;
200 }
201 new_configured_curves.Shrink(idx);
202 ssl->config->supported_group_list = std::move(new_configured_curves);
203
204 CBS alps;
205 CBS_init(&alps, nullptr, 0);
206 if (!CBS_get_optional_asn1(in, &alps, /*out_present=*/nullptr,
207 kHandoffTagALPS)) {
208 return false;
209 }
210 bool supports_alps = false;
211 while (CBS_len(&alps) != 0) {
212 uint16_t id;
213 if (!CBS_get_u16(&alps, &id)) {
214 return false;
215 }
216 // For now, we only support one ALPS code point, so we only need to extract
217 // a boolean signal from the feature list.
218 if (id == TLSEXT_TYPE_application_settings) {
219 supports_alps = true;
220 break;
221 }
222 }
223 if (!supports_alps) {
224 ssl->config->alps_configs.clear();
225 }
226
227 return true;
228 }
229
230 // uses_disallowed_feature returns true iff |ssl| enables a feature that
231 // disqualifies it for split handshakes.
uses_disallowed_feature(const SSL * ssl)232 static bool uses_disallowed_feature(const SSL *ssl) {
233 return ssl->method->is_dtls || (ssl->config->cert && ssl->config->cert->dc) ||
234 ssl->config->quic_transport_params.size() > 0;
235 }
236
SSL_apply_handoff(SSL * ssl,Span<const uint8_t> handoff)237 bool SSL_apply_handoff(SSL *ssl, Span<const uint8_t> handoff) {
238 if (uses_disallowed_feature(ssl)) {
239 return false;
240 }
241
242 CBS seq, handoff_cbs(handoff);
243 uint64_t handoff_version;
244 if (!CBS_get_asn1(&handoff_cbs, &seq, CBS_ASN1_SEQUENCE) ||
245 !CBS_get_asn1_uint64(&seq, &handoff_version) ||
246 handoff_version != kHandoffVersion) {
247 return false;
248 }
249
250 CBS transcript, hs_buf;
251 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
252 !CBS_get_asn1(&seq, &hs_buf, CBS_ASN1_OCTETSTRING) ||
253 !apply_remote_features(ssl, &seq)) {
254 return false;
255 }
256
257 SSL_set_accept_state(ssl);
258
259 SSL3_STATE *const s3 = ssl->s3;
260 s3->v2_hello_done = true;
261 s3->has_message = true;
262
263 s3->hs_buf.reset(BUF_MEM_new());
264 if (!s3->hs_buf ||
265 !BUF_MEM_append(s3->hs_buf.get(), CBS_data(&hs_buf), CBS_len(&hs_buf))) {
266 return false;
267 }
268
269 if (CBS_len(&transcript) != 0) {
270 s3->hs->transcript.Update(transcript);
271 s3->is_v2_hello = true;
272 }
273 s3->hs->handback = true;
274
275 return true;
276 }
277
SSL_serialize_handback(const SSL * ssl,CBB * out)278 bool SSL_serialize_handback(const SSL *ssl, CBB *out) {
279 if (!ssl->server || uses_disallowed_feature(ssl)) {
280 return false;
281 }
282 const SSL3_STATE *const s3 = ssl->s3;
283 SSL_HANDSHAKE *const hs = s3->hs.get();
284 handback_t type;
285 switch (hs->state) {
286 case state12_read_change_cipher_spec:
287 type = handback_after_session_resumption;
288 break;
289 case state12_read_client_certificate:
290 type = handback_after_ecdhe;
291 break;
292 case state12_finish_server_handshake:
293 type = handback_after_handshake;
294 break;
295 case state12_tls13:
296 if (hs->tls13_state != state13_send_half_rtt_ticket) {
297 return false;
298 }
299 type = handback_tls13;
300 break;
301 default:
302 return false;
303 }
304
305 size_t hostname_len = 0;
306 if (s3->hostname) {
307 hostname_len = strlen(s3->hostname.get());
308 }
309
310 Span<const uint8_t> transcript;
311 if (type != handback_after_handshake) {
312 transcript = s3->hs->transcript.buffer();
313 }
314 size_t write_iv_len = 0;
315 const uint8_t *write_iv = nullptr;
316 if ((type == handback_after_session_resumption ||
317 type == handback_after_handshake) &&
318 ssl->version == TLS1_VERSION &&
319 SSL_CIPHER_is_block_cipher(s3->aead_write_ctx->cipher()) &&
320 !s3->aead_write_ctx->GetIV(&write_iv, &write_iv_len)) {
321 return false;
322 }
323 size_t read_iv_len = 0;
324 const uint8_t *read_iv = nullptr;
325 if (type == handback_after_handshake &&
326 ssl->version == TLS1_VERSION &&
327 SSL_CIPHER_is_block_cipher(s3->aead_read_ctx->cipher()) &&
328 !s3->aead_read_ctx->GetIV(&read_iv, &read_iv_len)) {
329 return false;
330 }
331
332 // TODO(mab): make sure everything is serialized.
333 CBB seq, key_share;
334 const SSL_SESSION *session;
335 if (type == handback_tls13) {
336 session = hs->new_session.get();
337 } else {
338 session = s3->session_reused ? ssl->session.get() : hs->new_session.get();
339 }
340 if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
341 !CBB_add_asn1_uint64(&seq, kHandbackVersion) ||
342 !CBB_add_asn1_uint64(&seq, type) ||
343 !CBB_add_asn1_octet_string(&seq, s3->read_sequence,
344 sizeof(s3->read_sequence)) ||
345 !CBB_add_asn1_octet_string(&seq, s3->write_sequence,
346 sizeof(s3->write_sequence)) ||
347 !CBB_add_asn1_octet_string(&seq, s3->server_random,
348 sizeof(s3->server_random)) ||
349 !CBB_add_asn1_octet_string(&seq, s3->client_random,
350 sizeof(s3->client_random)) ||
351 !CBB_add_asn1_octet_string(&seq, read_iv, read_iv_len) ||
352 !CBB_add_asn1_octet_string(&seq, write_iv, write_iv_len) ||
353 !CBB_add_asn1_bool(&seq, s3->session_reused) ||
354 !CBB_add_asn1_bool(&seq, s3->channel_id_valid) ||
355 !ssl_session_serialize(session, &seq) ||
356 !CBB_add_asn1_octet_string(&seq, s3->next_proto_negotiated.data(),
357 s3->next_proto_negotiated.size()) ||
358 !CBB_add_asn1_octet_string(&seq, s3->alpn_selected.data(),
359 s3->alpn_selected.size()) ||
360 !CBB_add_asn1_octet_string(
361 &seq, reinterpret_cast<uint8_t *>(s3->hostname.get()),
362 hostname_len) ||
363 !CBB_add_asn1_octet_string(&seq, s3->channel_id,
364 sizeof(s3->channel_id)) ||
365 !CBB_add_asn1_bool(&seq, ssl->s3->token_binding_negotiated) ||
366 !CBB_add_asn1_uint64(&seq, ssl->s3->negotiated_token_binding_param) ||
367 !CBB_add_asn1_bool(&seq, s3->hs->next_proto_neg_seen) ||
368 !CBB_add_asn1_bool(&seq, s3->hs->cert_request) ||
369 !CBB_add_asn1_bool(&seq, s3->hs->extended_master_secret) ||
370 !CBB_add_asn1_bool(&seq, s3->hs->ticket_expected) ||
371 !CBB_add_asn1_uint64(&seq, SSL_CIPHER_get_id(s3->hs->new_cipher)) ||
372 !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) ||
373 !CBB_add_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
374 return false;
375 }
376 if (type == handback_after_ecdhe &&
377 !s3->hs->key_shares[0]->Serialize(&key_share)) {
378 return false;
379 }
380 if (type == handback_tls13) {
381 early_data_t early_data;
382 // Check early data invariants.
383 if (ssl->enable_early_data ==
384 (s3->early_data_reason == ssl_early_data_disabled)) {
385 return false;
386 }
387 if (hs->early_data_offered) {
388 if (s3->early_data_accepted && !s3->skip_early_data) {
389 early_data = early_data_accepted;
390 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
391 early_data = early_data_rejected_hrr;
392 } else if (!s3->early_data_accepted && s3->skip_early_data) {
393 early_data = early_data_skipped;
394 } else {
395 return false;
396 }
397 } else if (!s3->early_data_accepted && !s3->skip_early_data) {
398 early_data = early_data_not_offered;
399 } else {
400 return false;
401 }
402 if (!CBB_add_asn1_octet_string(&seq, hs->client_traffic_secret_0().data(),
403 hs->client_traffic_secret_0().size()) ||
404 !CBB_add_asn1_octet_string(&seq, hs->server_traffic_secret_0().data(),
405 hs->server_traffic_secret_0().size()) ||
406 !CBB_add_asn1_octet_string(&seq, hs->client_handshake_secret().data(),
407 hs->client_handshake_secret().size()) ||
408 !CBB_add_asn1_octet_string(&seq, hs->server_handshake_secret().data(),
409 hs->server_handshake_secret().size()) ||
410 !CBB_add_asn1_octet_string(&seq, hs->secret().data(),
411 hs->secret().size()) ||
412 !CBB_add_asn1_octet_string(&seq, s3->exporter_secret,
413 s3->exporter_secret_len) ||
414 !CBB_add_asn1_bool(&seq, s3->used_hello_retry_request) ||
415 !CBB_add_asn1_bool(&seq, hs->accept_psk_mode) ||
416 !CBB_add_asn1_int64(&seq, s3->ticket_age_skew) ||
417 !CBB_add_asn1_uint64(&seq, s3->early_data_reason) ||
418 !CBB_add_asn1_uint64(&seq, early_data)) {
419 return false;
420 }
421 if (early_data == early_data_accepted &&
422 !CBB_add_asn1_octet_string(&seq, hs->early_traffic_secret().data(),
423 hs->early_traffic_secret().size())) {
424 return false;
425 }
426 }
427 return CBB_flush(out);
428 }
429
CopyExact(Span<uint8_t> out,const CBS * in)430 static bool CopyExact(Span<uint8_t> out, const CBS *in) {
431 if (CBS_len(in) != out.size()) {
432 return false;
433 }
434 OPENSSL_memcpy(out.data(), CBS_data(in), out.size());
435 return true;
436 }
437
SSL_apply_handback(SSL * ssl,Span<const uint8_t> handback)438 bool SSL_apply_handback(SSL *ssl, Span<const uint8_t> handback) {
439 if (ssl->do_handshake != nullptr ||
440 ssl->method->is_dtls) {
441 return false;
442 }
443
444 SSL3_STATE *const s3 = ssl->s3;
445 uint64_t handback_version, negotiated_token_binding_param, cipher, type_u64;
446
447 CBS seq, read_seq, write_seq, server_rand, client_rand, read_iv, write_iv,
448 next_proto, alpn, hostname, channel_id, transcript, key_share;
449 int session_reused, channel_id_valid, cert_request, extended_master_secret,
450 ticket_expected, token_binding_negotiated, next_proto_neg_seen;
451 SSL_SESSION *session = nullptr;
452
453 CBS handback_cbs(handback);
454 if (!CBS_get_asn1(&handback_cbs, &seq, CBS_ASN1_SEQUENCE) ||
455 !CBS_get_asn1_uint64(&seq, &handback_version) ||
456 handback_version != kHandbackVersion ||
457 !CBS_get_asn1_uint64(&seq, &type_u64) ||
458 type_u64 > handback_max_value) {
459 return false;
460 }
461
462 handback_t type = static_cast<handback_t>(type_u64);
463 if (!CBS_get_asn1(&seq, &read_seq, CBS_ASN1_OCTETSTRING) ||
464 CBS_len(&read_seq) != sizeof(s3->read_sequence) ||
465 !CBS_get_asn1(&seq, &write_seq, CBS_ASN1_OCTETSTRING) ||
466 CBS_len(&write_seq) != sizeof(s3->write_sequence) ||
467 !CBS_get_asn1(&seq, &server_rand, CBS_ASN1_OCTETSTRING) ||
468 CBS_len(&server_rand) != sizeof(s3->server_random) ||
469 !CBS_copy_bytes(&server_rand, s3->server_random,
470 sizeof(s3->server_random)) ||
471 !CBS_get_asn1(&seq, &client_rand, CBS_ASN1_OCTETSTRING) ||
472 CBS_len(&client_rand) != sizeof(s3->client_random) ||
473 !CBS_copy_bytes(&client_rand, s3->client_random,
474 sizeof(s3->client_random)) ||
475 !CBS_get_asn1(&seq, &read_iv, CBS_ASN1_OCTETSTRING) ||
476 !CBS_get_asn1(&seq, &write_iv, CBS_ASN1_OCTETSTRING) ||
477 !CBS_get_asn1_bool(&seq, &session_reused) ||
478 !CBS_get_asn1_bool(&seq, &channel_id_valid)) {
479 return false;
480 }
481
482 s3->hs = ssl_handshake_new(ssl);
483 SSL_HANDSHAKE *const hs = s3->hs.get();
484 if (!session_reused || type == handback_tls13) {
485 hs->new_session =
486 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
487 session = hs->new_session.get();
488 } else {
489 ssl->session =
490 SSL_SESSION_parse(&seq, ssl->ctx->x509_method, ssl->ctx->pool);
491 session = ssl->session.get();
492 }
493
494 if (!session || !CBS_get_asn1(&seq, &next_proto, CBS_ASN1_OCTETSTRING) ||
495 !CBS_get_asn1(&seq, &alpn, CBS_ASN1_OCTETSTRING) ||
496 !CBS_get_asn1(&seq, &hostname, CBS_ASN1_OCTETSTRING) ||
497 !CBS_get_asn1(&seq, &channel_id, CBS_ASN1_OCTETSTRING) ||
498 CBS_len(&channel_id) != sizeof(s3->channel_id) ||
499 !CBS_copy_bytes(&channel_id, s3->channel_id,
500 sizeof(s3->channel_id)) ||
501 !CBS_get_asn1_bool(&seq, &token_binding_negotiated) ||
502 !CBS_get_asn1_uint64(&seq, &negotiated_token_binding_param) ||
503 !CBS_get_asn1_bool(&seq, &next_proto_neg_seen) ||
504 !CBS_get_asn1_bool(&seq, &cert_request) ||
505 !CBS_get_asn1_bool(&seq, &extended_master_secret) ||
506 !CBS_get_asn1_bool(&seq, &ticket_expected) ||
507 !CBS_get_asn1_uint64(&seq, &cipher)) {
508 return false;
509 }
510 if ((hs->new_cipher =
511 SSL_get_cipher_by_value(static_cast<uint16_t>(cipher))) == nullptr) {
512 return false;
513 }
514 if (!CBS_get_asn1(&seq, &transcript, CBS_ASN1_OCTETSTRING) ||
515 !CBS_get_asn1(&seq, &key_share, CBS_ASN1_SEQUENCE)) {
516 return false;
517 }
518 CBS client_handshake_secret, server_handshake_secret, client_traffic_secret_0,
519 server_traffic_secret_0, secret, exporter_secret, early_traffic_secret;
520 if (type == handback_tls13) {
521 int used_hello_retry_request, accept_psk_mode;
522 uint64_t early_data, early_data_reason;
523 int64_t ticket_age_skew;
524 if (!CBS_get_asn1(&seq, &client_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
525 !CBS_get_asn1(&seq, &server_traffic_secret_0, CBS_ASN1_OCTETSTRING) ||
526 !CBS_get_asn1(&seq, &client_handshake_secret, CBS_ASN1_OCTETSTRING) ||
527 !CBS_get_asn1(&seq, &server_handshake_secret, CBS_ASN1_OCTETSTRING) ||
528 !CBS_get_asn1(&seq, &secret, CBS_ASN1_OCTETSTRING) ||
529 !CBS_get_asn1(&seq, &exporter_secret, CBS_ASN1_OCTETSTRING) ||
530 !CBS_get_asn1_bool(&seq, &used_hello_retry_request) ||
531 !CBS_get_asn1_bool(&seq, &accept_psk_mode) ||
532 !CBS_get_asn1_int64(&seq, &ticket_age_skew) ||
533 !CBS_get_asn1_uint64(&seq, &early_data_reason) ||
534 early_data_reason > ssl_early_data_reason_max_value ||
535 !CBS_get_asn1_uint64(&seq, &early_data) ||
536 early_data > early_data_max_value) {
537 return false;
538 }
539 early_data_t early_data_type = static_cast<early_data_t>(early_data);
540 if (early_data_type == early_data_accepted &&
541 !CBS_get_asn1(&seq, &early_traffic_secret, CBS_ASN1_OCTETSTRING)) {
542 return false;
543 }
544 if (ticket_age_skew > std::numeric_limits<int32_t>::max() ||
545 ticket_age_skew < std::numeric_limits<int32_t>::min()) {
546 return false;
547 }
548 s3->ticket_age_skew = static_cast<int32_t>(ticket_age_skew);
549 s3->used_hello_retry_request = used_hello_retry_request;
550 hs->accept_psk_mode = accept_psk_mode;
551
552 s3->early_data_reason =
553 static_cast<ssl_early_data_reason_t>(early_data_reason);
554 ssl->enable_early_data = s3->early_data_reason != ssl_early_data_disabled;
555 s3->skip_early_data = false;
556 s3->early_data_accepted = false;
557 hs->early_data_offered = false;
558 switch (early_data_type) {
559 case early_data_not_offered:
560 break;
561 case early_data_accepted:
562 s3->early_data_accepted = true;
563 hs->early_data_offered = true;
564 hs->can_early_write = true;
565 hs->can_early_read = true;
566 hs->in_early_data = true;
567 break;
568 case early_data_rejected_hrr:
569 hs->early_data_offered = true;
570 break;
571 case early_data_skipped:
572 s3->skip_early_data = true;
573 hs->early_data_offered = true;
574 break;
575 default:
576 return false;
577 }
578 } else {
579 s3->early_data_reason = ssl_early_data_protocol_version;
580 }
581
582 ssl->version = session->ssl_version;
583 s3->have_version = true;
584 if (!ssl_method_supports_version(ssl->method, ssl->version) ||
585 session->cipher != hs->new_cipher ||
586 ssl_protocol_version(ssl) < SSL_CIPHER_get_min_version(session->cipher) ||
587 SSL_CIPHER_get_max_version(session->cipher) < ssl_protocol_version(ssl)) {
588 return false;
589 }
590 ssl->do_handshake = ssl_server_handshake;
591 ssl->server = true;
592 switch (type) {
593 case handback_after_session_resumption:
594 hs->state = state12_read_change_cipher_spec;
595 if (!session_reused) {
596 return false;
597 }
598 break;
599 case handback_after_ecdhe:
600 hs->state = state12_read_client_certificate;
601 if (session_reused) {
602 return false;
603 }
604 break;
605 case handback_after_handshake:
606 hs->state = state12_finish_server_handshake;
607 break;
608 case handback_tls13:
609 hs->state = state12_tls13;
610 hs->tls13_state = state13_send_half_rtt_ticket;
611 break;
612 default:
613 return false;
614 }
615 s3->session_reused = session_reused;
616 s3->channel_id_valid = channel_id_valid;
617 s3->next_proto_negotiated.CopyFrom(next_proto);
618 s3->alpn_selected.CopyFrom(alpn);
619
620 const size_t hostname_len = CBS_len(&hostname);
621 if (hostname_len == 0) {
622 s3->hostname.reset();
623 } else {
624 char *hostname_str = nullptr;
625 if (!CBS_strdup(&hostname, &hostname_str)) {
626 return false;
627 }
628 s3->hostname.reset(hostname_str);
629 }
630
631 s3->token_binding_negotiated = token_binding_negotiated;
632 s3->negotiated_token_binding_param =
633 static_cast<uint8_t>(negotiated_token_binding_param);
634 hs->next_proto_neg_seen = next_proto_neg_seen;
635 hs->wait = ssl_hs_flush;
636 hs->extended_master_secret = extended_master_secret;
637 hs->ticket_expected = ticket_expected;
638 s3->aead_write_ctx->SetVersionIfNullCipher(ssl->version);
639 hs->cert_request = cert_request;
640
641 if (type != handback_after_handshake &&
642 (!hs->transcript.Init() ||
643 !hs->transcript.InitHash(ssl_protocol_version(ssl), hs->new_cipher) ||
644 !hs->transcript.Update(transcript))) {
645 return false;
646 }
647 if (type == handback_tls13) {
648 hs->ResizeSecrets(hs->transcript.DigestLen());
649 if (!CopyExact(hs->client_traffic_secret_0(), &client_traffic_secret_0) ||
650 !CopyExact(hs->server_traffic_secret_0(), &server_traffic_secret_0) ||
651 !CopyExact(hs->client_handshake_secret(), &client_handshake_secret) ||
652 !CopyExact(hs->server_handshake_secret(), &server_handshake_secret) ||
653 !CopyExact(hs->secret(), &secret) ||
654 !CopyExact({s3->exporter_secret, hs->transcript.DigestLen()},
655 &exporter_secret)) {
656 return false;
657 }
658 s3->exporter_secret_len = CBS_len(&exporter_secret);
659
660 if (s3->early_data_accepted &&
661 !CopyExact(hs->early_traffic_secret(), &early_traffic_secret)) {
662 return false;
663 }
664 }
665 Array<uint8_t> key_block;
666 switch (type) {
667 case handback_after_session_resumption:
668 // The write keys are installed after server Finished, but the client
669 // keys must wait for ChangeCipherSpec.
670 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
671 write_iv)) {
672 return false;
673 }
674 break;
675 case handback_after_ecdhe:
676 // The premaster secret is not yet computed, so install no keys.
677 break;
678 case handback_after_handshake:
679 // The handshake is complete, so both keys are installed.
680 if (!tls1_configure_aead(ssl, evp_aead_seal, &key_block, session,
681 write_iv) ||
682 !tls1_configure_aead(ssl, evp_aead_open, &key_block, session,
683 read_iv)) {
684 return false;
685 }
686 break;
687 case handback_tls13:
688 // After server Finished, the application write keys are installed, but
689 // none of the read keys. The read keys are installed in the state machine
690 // immediately after processing handback.
691 if (!tls13_set_traffic_key(ssl, ssl_encryption_application, evp_aead_seal,
692 hs->new_session.get(),
693 hs->server_traffic_secret_0())) {
694 return false;
695 }
696 break;
697 }
698 if (!CopyExact({s3->read_sequence, sizeof(s3->read_sequence)}, &read_seq) ||
699 !CopyExact({s3->write_sequence, sizeof(s3->write_sequence)},
700 &write_seq)) {
701 return false;
702 }
703 if (type == handback_after_ecdhe &&
704 (hs->key_shares[0] = SSLKeyShare::Create(&key_share)) == nullptr) {
705 return false;
706 }
707 return true; // Trailing data allowed for extensibility.
708 }
709
710 BSSL_NAMESPACE_END
711